News

18 posts

v0.4 Released!

This release includes basic timeline functionality – it’s useful in a number of scenarios, but mostly to highlight if there were lengthy gaps between two files being created. This version also includes much better match analysis – hopefully it’s of more use now, as it analyses more exif fields and gives you a better comparison. I’ll keep improving both of these functions in the coming weeks.


Change Log:

  • Basic Timeline Analysis!
  • Much improved Match Analysis.
  • User feedback when processing files (so you know it hasn’t frozen!).
  • GUI bug fixes.

Get it here: https://github.com/globalcrimadmin/metadata/releases/download/v0.4/Metadata.Interrogator.v04.exe

Version 0.3 Released

Ho, Ho, Ho,
Now I have a machi…Happy Christmas ! The best Christmas present of all has come:

Version 0.3 (named McClane – obviously) is released with two new, major features!

First and foremost, I’ve added in the Hachoir metadata libraries – these drag out even more metadata on a wider variety of files. Pretty much every major file type is now supported, with metadata on EXE’s, Videos and Audio files as well as all the previous ones. There may be some duplication in fields, which I’ll whittle down in future releases.

The second feature is basic comparison functionality to see what the differences are between two files. I hope to improve on this substantially in future releases, but it’s a start.

I’ve also cleaned up the UI substantially now that we know we’re sticking to the Pandastable version (see Trimming Down the Metadata Interrogator) and now that I’m happier with how it’s going I’ve laid the groundwork for easier expansion.

Change Log:

  • Added Hachoir parsing!
  • Rudimentary file comparison
  • Added Settings panel to help adjust the layout better.
  • Squashed a lot of bugs.
  • GUI resizing works properly now.
  • A few more (hopefully descriptive) error messages instead of it just quietly not working.
  • Complete separation of GUI and analysis in the code.

Get it here: https://github.com/globalcrimadmin/metadata/releases/download/McClane/Metadata.Interrogator.v03.exe

Trimming down the Metadata Interrogator

Currently, Metadata Interrogator comes in at a completely-unreasonable-in-this-day-and-age 76mb file size. As promised, an attempt was made to reduce the size of Metadata Interrogator by using a different table GUI (pure TKinter rather than Pandastable). Unfortunately, even with my best efforts the file size reduction wasn’t that significant – 76mb to 55mb.

Whilst it is a reduction in size (and I might be able to shave off another 5-10mb) – for the reduction in functionality (and extra work in maintaining two versions) it’s not really worth it.

Now that we’re in the age of widespread broadband, terabyte USB sticks and colour TVs I feel it’s a roughly acceptable file size, although do get in touch if you have a really burning use-case for a much smaller file size.

Going forward, I’ll be working on new functionality and optimising the load. I’ll also release a zipped package version which should run faster and still stay relatively portable.

Digital Document Forensics Training

Digital Document Forensics (DDF) is what Metadata Interrogator is all about really, it’s trying to gather as much information as possible from a file – especially any ‘hidden’ attributes that might give us clues to who/what/where/when/how the file was made. 

This has obvious utility in a number of sectors, but if you’re interested in using it for counter-fraud/customer validation/KYC then you might be interested in an online course that I run on the subject. Your keen forensic senses might be able to warn you this is a slightly promotional post.

At the moment, the course doesn’t use metadata interrogator as I’m not quite happy it’s stable enough (although hopefully that will change soon!) and the course itself is much wider in scope than just gathering metadata. You also get a fancy certificate.

The training course covers (amongst other things):

  • PDF, MS Office and Image file specific analysis 
  • Email Analysis
  • File Signature analysis/magic numbers
  • Best practice of evidence handling (Hashing/storage)
  • Creating a professional forensic report.

If you’re interested, head over to: http://pdacounterfraud.co.uk/forensic-document-analysis/

MakerNote – the greatest secret there ever was.

You may or may not have noticed that there are tons of MakerNote fields that come up when photos are analysed. Some of these are followed by a descriptor, some just have something like 0x0002 and then a jumble of numbers and letters as the result. Whilst it sounds unlikely, this isn’t my awful programming causing this.

The MakerNote fields are custom fields allowed within the Exif standard that allow device manufacturers to store whatever they want in them. For some reason, these fields are also a jealously guarded secret by companies – some just aren’t listed, and others are encrypted. Even with my biggest and shiniest security hat on I can’t really understand what they could be storing in them that requires such security – I don’t know what you’d need to store on a file that would give insight into anything proprietary or that would have security implications.

Various efforts have gone into trying to decipher what these fields mean (and the ones known are included in Metadata Interrogator) however some are very difficult to guess. If there’s anyone out there that wants to team up on trying to decipher the fields of common devices, please get in touch.

Version 0.2.1 Released

v0.2.1

This is a minor release, but it’s a HUGE improvement in analysis speed. No new features though.

Change Log:

  • Much¬†improved speed of file analysis at very small cost to start up time.
  • Tiny improvement on file size.
  • Yet more moustaches.

Version 0.2.0 Released

Version 0.2.0 has been released!

Change log:

  • No longer needs to download anything for geo-coding; it’s now completely offline!
  • Should be slightly faster due to a bit of a clean-up.
  • Minor cosmetic improvements.
  • More moustaches.

Version 0.1 Released

The very first version is released – poorly optimised, with a lot of file support missing. It should work for all major formats, and scrape *something* from most others.
The download is hosted on github currently, but will be moving to a proper CDN if it has enough/any interest.

A lite version (without the data tools) will be released shortly.